The breach was caused by a lost flash drive that included names, addresses, and health information of 280,000 people insured by Keystone Mercy Health Plan and AmeriHealth Mercy Health Plans, both based in Philadelphia. According to an article in Compliance in the Cloud:

The breach, which involves the records of Medicaid recipients, is the first such Medicaid data breach in Pennsylvania since at least 1997, according to the state's Department of Welfare, which has oversight.

The breach, one of the largest of the year, is bad enough. That it wasn't disclosed to affected members until the Philadelphia Inquirer began to investigate is disturbing. This follows on the heels of a breach in New York state that happened in July but it appears news of it may not have been released until September (hopefully the potential victims were notified earlier).

The Pennsylvania law is vague about the time frame that can pass before affected parties should be notified -- it shouldn't be an unreasonable amount of time. However, the Inquirer reported:

The federal website explaining the law says that breaches must be reported "without unreasonable delay and in no case later than 60 days."

Medicaid is funded jointly by federal and state governments. Pennsylvania's agreement appears to require a report within two days. Myers said it was unclear when the companies reported the incident. The federal government did not respond on time.

Shouldn't the innocent victims of a data breach learn about it immediately?